Posted by CmdrTaco on Tuesday August 17, 2010 @04:22PM from the thats-a-lotta-xp dept.

tcd004 writes "In a weekend, programmer Austin Heap transformed from an apathetic MMO player to a world class regime-slayer. When word of Iran's rigged election broke over Twitter, Heap decided to dedicate himself to building a better proxy system for people behind Iran's firewall. Heap's creation, Haystack, conceals someone's real online destinations inside a stream of innocuous traffic. You may be browsing an opposition Web site, but to the censors it will appear you are visiting, say, weather.com. Heap tends to hide users in content that is popular in Tehran, sometimes the regime's own government mouthpieces."

Why is this article being put out now? The Iranian elections were a while ago.

Maybe they think those of us pointing out that the elections weren't rigged will have got bored and gone away by now or that endless repetition will have made the "rigging of Iranian elections" accepted history at last.

There's no good evidence that Iran's elections were rigged. Whether Western powers like it or not, Ahmadinejad seems to have won legitimately. He's actually very popular in rural areas and not unpopular in Tehran,

Here's one snip from one result: "The AP reports that Iran's parliament on Wednesday voted in favor of a bill that could lead to death penalty for persons convicted of working in the production of pornographic movies."

"Adnkronos International reports that under the new law, anyone distributing pornographic material can be sentenced to a fine of up to 16,000 euros while owners of a porn video or film risk up to 76 lashings."

I hate moral dictatorship. It doesn't matter if it's coming from a Muslim government, the Church of Rome, or politicians. Ya know... it's my life. If I want to be an asshole that looks at porn, doesn't go to church, and keeps to himself, I have that right. Stop trying to force me to adopt your moral beliefs.

So this HAYSTACK program. Would it work in the US and EU? It appears the answer is "no" since it was specifically designed for Iraq.

> If I want to be an asshole that looks at porn, doesn't go to church, and keeps to himself, I have that right.

It would sound much better if you would replace that 'and' with an 'or'.

Also you have to understand those overly religious societies. They are under considerable stress while surviving in a harsh environment by any means possible (if there is no stress you can create some, i.e. with lacking medical insurance). This creates a situation where even the most basic needs of a human being may remain u

Iranian law is pretty tough on smut.... death penalty for persons convicted of working in the production of pornographic movies....

Meh. This is Iran we're talking about. I'm pretty sure they have the death penalty for driving without a seatbelt. A law isn't considered "tough" there unless the punishment involves teeth pulling and genital mutilation.

This isn't like Counterstrike where you can just straight up ban someone by IP for doing something you don't like - not only can the authorities not watch everything but also the internet itself is so complex that it's hard to determine what's happening precisely.

Is there any way for you to tell right now if I'm using a proxy or not?

No, but I'd think that in an extremely censored nation they might only allow citizens to connect through specified egress points or exchanges which could be monitored. I guess the point of the software is to mask that activity, but is it really a stretch to see a government hell bent on controlling its citizens start using a white list?

The mullahs are the highest authority in the country, and they are not answerable to elections. They also have their own private army which is not responsible to the voice of the people even in the most abstracted fashion. Hard to claim that's not a dictatorship.

"Theocracy is a form of government in which a god or deity is recognized as the state's supreme civil ruler, or in a higher sense, a form of government in which a state is governed by immediate divine guidance or by officials who are regarded as divinely guided."

"Iran's government is described as a "theocratic republic". Iran's head of state, or Supreme Leader, is an Islamic cleric appointed for life by an elected body called Assembly of Experts. The Council of Guardians, considered part of the executive branch of government, is responsible for determining if legislation is in line with Islamic law and customs (the Sharia), and can bar candidates from elections, and greenlight or ban investigations into the election process."

A dictatorship is ruled by an individual. So like Iraq before Operation Iraqi Freedom kicked him out of power.

Not necessarily. Ever hear the phrase "dictatorship of the proletariat" within Marxist-Leninist thought? There the dictatorship would be ruled by the working class as a whole.

If you bothered looking up "theocracy" in the dictionary, then you should have looked up "dictatorship" too. Merriam-Webster give as their third definition: "3 a : a form of government in which absolute power is concentrated in a dictator or a small clique b : a government organization or group

Look, a dictionary is a normal tool for looking up the meanings that have been ascribed to words. In spite of the OP's claim, the word "dictatorship" is regularly used in the English language to describe governments like Iran's. The Wikipedia article is wrong inasmuch as it attempts to fix the word to a single meaning, while standard dictionaries like M-W which I cited above and the OED show it has a range of usages.

Ever heard someone refer to Internet Explorer as "The Internet"? Does it make your teeth grind? Same principle, I'm afraid. Those of us who understand the meanings of words have a responsibility to use them correctly and lead by example.

The word you are looking for is oligarchy - unelected men that sit on the top and make the rules.

Kinda like our unelected Supreme Court Oligarchs. (I'm still trying to find the part of the US Constitution that the Court claims allows them to ban obscene material. I swear it's not there, even though they claim it is. Hmmm.)

Already happening. Just about anyone running a Tor Exit node is at risk for Kiddie porn charges. I had friends that set up Tor nodes during the Iran unrest. One of them decided to see if it was doing any good and was shocked that more than half the traffic was actually porn and a fair amount of it kiddie porn. As soon as he told the others, everyone stopped hosting the nodes and a couple even DBANed their HDDs. No one wanted to risk being caught. None of them were rich enough to fight it.

How you can do it without a proxy. Open up one tab of your real destination. And 8 other innocuous tabs. Then generate a volume of traffic on those tabs, occasionally clicking on the first, real one.

You can't "hide" your destination in volume. People don't search that, computers do. If there is a DNS entry resolved, or a host IP used, it can be logged. You're not hiding anything, or even pissing anyone off. You can't even hide your destination in SSL. All they need is a database of IPs tagged with topics, and

Less than a month and many all-nighters later, Heap and a friend had created Haystack. The anti-censorship software is built on a sophisticated mathematical formula that conceals someone's real online destinations inside a stream of innocuous traffic. You may be browsing an opposition Web site, but to the censors it will appear you are visiting, say, weather.com.

This doesn't make sense. It still has to connect to and load the BAD website, too...

Other anti-censorship programs--such as Tor, Psiphon, or Freegate--can successfully hide someone's identity, but censors are able to detect that these programs are being run and then work to disable the communication. With Haystack, the censors aren't even aware the software is in use. "Haystack captures all outgoing connections, encrypts them, and then masquerades the data as something else," explains Heap. "If you want to block Haystack, you are gonna block yourself."

OK, this makes so little sense I can't even figure out how to respond to it.

Heap intends to gradually develop Haystack's presence in the country. He has started to share it with select activists and trusted individuals on an invitation-only basis. They will then be asked to share it with their friends. It is the same model that was originally followed by Google's Gmail. The targeted approach is smarter from a security standpoint. Also, he doesn't want the software to collapse from low-value demand.

Yeah, I think there is a bit of hype involved. It sounds basically like an obfuscating proxy server. Requests and data are encrypted and obfuscated in normal requests to innocuous websites like weather.com.

The thing is that it still will require use of a proxy server, and it most certainly can be EASILY detected with a number of methods, ranging from diff-ing to statistical analysis of data being transferred. I have no doubts that the Iranian government has the ability to get a copy of the software and dete

Thank you for those links. After reading in more detail, I think I'm kind of sticking with my claim of bullshit. Of course I wouldn't put it so strongly now but I still don't see how he can do what he is claiming and make it difficult (or as he claims, IMPOSSIBLE) to block.

In Iran, the state has draconian control over the press as well as any "companies" which act as communication feeds. Not so in the US, where communications companies are (for the most part) autonomous and protected like a sacred cow (thanks to the First Amendment).

I think a better analogy would be blocking porn (child or otherwise) in Iran. I don't live there, and I don't directly know anyone who does, but the known/published government actions and policies are VERY strict, so I would expect there would be a LOT less ability to access porn of *any* kind in Iran.

In contrast, in the US, there is very little to no active efforts to filter anything, but rather to detect actual access to illegal porn and prosecute at the individual lawbreaker level. However, even that is a spotty and half-hearted effort at best.

In Iran, you have to register your website with the government, and they can and do block access country-wide to popular internet sites as they deem unfit (YouTube, for example).

As a result, while it is not impossible to get access to internet content deemed verboten by the state there, the bar has been significantly raised to do so. Thus, any claims to circumvent it without some really revolutionary technology to back them up have to be taken with a grain of salt. That said, I am glad the guy made the effort, and happy for what little freedom it may provide to someone in Iran looking for hope outside their dismal state of being there, but I also don't want people to get snookered into a false hope that this is something far more than what it claims. Over there, people are jailed/murdered by the state for violating their insanely draconian laws.

"at the same time allows users to security use normal web browsers and network applications." "Haystack hides traffic to any from the internet at large inside traffic" "The executable is under half a megabytes" "We would like to see our as many people as possible assert their human right to free expression." "revealing the source code at this time would only aide the authorities"

Plus their FAQ logo actually says QFA. If they pay so little attention to detail on their site, I can just imag

It's basically security through obscurity. A dangerous, but popular, pastime that never actually delivers at the end of the day. Not through lack of sincerity (necessarily) but through the fact that such a method is inherently flawed. Being easy doesn't mean it's any good. It's ultimately why steganography alone is not secure - there will be fingerprints (always) that allow you to separate the two signals and thus yield the original message, if the message is kept as-is. In the case of steganography, the

I agree. Looks to me like this can go one of three ways.
1) It's real and someone relies upon it and gets caught and punished because it has failed, or
2) It's actually been created by the Iranian government, or
3) It's a scam and totally fake
I'm leaning toward (3) right now.

Given that the regime in question is still very much in control, and that the only slaying that was done was by the regime, I find the term "regime slayer" to be laughable at best and really offensive at worst for those that hoped for better for the Iranian people.

That was an extreme case showing that sometimes, mere communication is not enough to evoke change.

As this article in Foreign Policy explains, the Internet, especially Twitter, didn't contribute nearly as much to the protests in Iran as has been reported: Misreading Tehran: The Twitter Devolution [foreignpolicy.com]. "Word of mouth was by far the most influential medium used to shape the postelection opposition activity." Other major media included text messages and email, which this software wouldn't help much with.

Efforts to counter censorship and intrusive government monitoring should be applauded, but it's a bit premature to call this "world class regime-slaying."

Haystack is currently available to a select number of users in Iran in our beta phase and is being prepared for a final release. We plan to start our official release of haystack as soon as we obtain the necessary funds to expand our network capacity to support a sufficiently large number of users.

I would like to learn more about how this actually works, though...I'm kind of disappointed that TFA was more of an informational piece about the developer than about the tech itself, though I guess I should have expected as much from the headline.

Haystack is currently in the beta testing stage, and we are in the process of working out the last kinks in the system. We are also in the process of taking care of a number of procedural hurdles that must be settled before the program is operational. We are aiming for a full release sometime this winter.

Security through obscurity is no security at all.
I strongly doubt that the existence of this system is a mystery to the government of Iran, at least not if it is beyond a certain level of popularity.

Uh, I don't really think this is obscurity. A more appropriate term would be obfuscation for this is exactly what Austin Heap's innovation is doing. This is a rather clever and ingenious way of getting around censorship. I also would not overestimate the Iranian government. If a URL can successfully be obfuscated, it would be difficult for censorship to uncover this.

The comment I was replying to indicated that it would be a bad idea to talk about the system, since it might tip off the Iranian government. My point was that if talking about the system makes it less useful, then it is not very secure to begin with.

The goal of the system is to avoid government censorship. If the government being aware of such a system allows them to be able to prevent it from being used, then the system does not solve the problem it is intended to solve. The second sentence was meant

> My point was that if talking about the system makes it less useful, then it is not very secure to begin with.

You are thinking in terms of computer security, and there, 100% correct.

The larger point, however, is that there may be other 'security' reasons not to talk about it. For example, more people involved in the project may find themselves in the spotlight. People have a physical life, and their actions can be spied - or worse.

Unfortunately, there is no 'by design' security protection against a bullet. Overall, as long as the thing does not make too many headlines, it seems we are better off - no matter how much

In this case it most certainly is. In fact, it's the only type of security possible. User A is trying to view site B without being detected by monitor C... the data must, inevitably, travel from B to A. If it also goes through D, E, F, G, H and I, and somewhere along the way appears to deliver to J, then A is somewhat less likely to get caught.

Unless you mean to say that Heap is only effective at obfuscating connections between points because nobody can see the code, in which case you're probably right.

Please see the comment I was replying to. OP said that it would be a bad idea to discuss the software; my point was simply that if discussing the software meant that it would be less effective, then it is not very good to begin with.

"I always love when someone talks about security through obscurity like they know what they are talking about.

The instant someone like yourself makes such a retarded comment you picked up from someone else or Wikipedia, those of us who DO know about it start chuckling inside."

Hey pal, I've got bad news for you but you are the one who doesn't know what the term means. You should be laughing at yourself for not understanding a term and then looking down upon others who do understand it. I hope you especially laugh at how incompetent Bruce Schneier is to use the term, because you are no doubt more competent than him (ROTFLMAO).

Of course, you're both playing semantics games. In a von Neumann machine, such as is every desktop computer, for example, the separation of data and program is superficial--it's just a psychologically-driven convention. It is also an extremely frequently violated convention (both by machine--Windows tends to rewrite memory-loaded images of binaries heavily--and by humans, in cases not just of the more rare virus-modifying code, but in every instance of scripting/interpreters/just-in-time compilation). Th

And by the same argument, a lead weight is indistinguishable from a light ray, because it's all just energy.

The fact that a key is bits and an (implementation of an) algorithm is bits does not mean that the two are indistinguishable from a security perspective when treated as a secret. I could start by quibbling about the size of the secret, but the more fundamental issue is how widely applicable is the secret (or, somewhat equivalently, how widely distributed is evidence of the secret).

That makes no sense whatsoever. Bits can be code, and code can be bits. Despite any convoluted circumstance you come up with, EVERYTHING on your computer is bits. Period. In the context of a computer, data/code/bits are interchangeable. Only programmers make the semantic distinction between "code" and "data", and then only because it's convenient, not because there is any inherent difference in form.

8. In keeping the source code a secret, aren't you just relying on "security through obscurity"? Won't authorities eventually discover how your software works anyway?

This charge is difficult to rebut, because under normal conditions, "security through obscurity" is indeed false security. However, Haystack has several properties that make it a special case.

First of all, we do not rely on "obscurity" for protecting our users' privacy. Everything that one of our users sends and receives is enciphered. It would take centuries for all the world's computers to decipher one of our users' browsing sessions even with full access to the Haystack source code.

"Obscurity," however, does make it much harder to find ways to block our software. Of course the authorities will pour resources into finding a way to do this, and they may temporarily succeed. In that event, we will refine our software and issue a new version that circumvents the restrictions. We will not, however, give the authorities any assistance in this process. By retarding their efforts, we ensure that the Haystack network operates more robustly for longer periods.

I always thought the phrase "security through obscurity" means protection by a weak or unstudied algorithm that is ad-hoc and thought to be unknowable. Passwords usually involve strong but publicly-known hashing algorithms. Isn't it better to rely on strong encryption techniques than merely obscure ones?

All computer security is through obscurity (passwords, encryption, both just security through obscurity). The lock on your home's door is security through obscurity (knowing the obscure key pattern).

Except, that isn't obscurity - that's a secret. The difference is subtle. However, one way to look at the issue is whether observation of a system will uncover the secret needed to defeat the system. I can study a cryptographic system without knowing how to defeat a given cryptographic key (unless that system is flawed). Likewise, buying the same brand lock shouldn't allow me to duplicate your house key (although many cheap home lock systems are pretty trivial to defeat - so maybe "security though obscu

This is such a comical misunderstanding of the phrase "security through obscurity" that I can't help but think you are trolling.

On the subject of your front door lock... that's a tumbler lock, and while you may argue that the key is the obscure part here, I would argue that such a lock operates on KNOWN principles, and does not employ any obfuscation whatsoever. While a lock that looked like a standard tumbler lock, but actually used a secret combination of turns and push/pull on the key itself would

Living in a remote area would be security. The remoteness is the barrier to entry.

Security through obscurity is more like leaving your door unlocked, but living in a building where all the other doors are locked. Or having a locked door but leaving the window unlocked and using the fire escape. Or leaving the key under the mat. It's not security, it just keeps people from believing they're looking at something unsecured.

And the reason it's a major fail is that it is defeated by random actions that are f

> Living in a remote area would be security. The remoteness is the barrier to entry.

The problem with that analogy is that a barrier to entry isn't the only aspect involved. All obscurity is a barrier to entry. The problem is that people's perception of the effectiveness of obscurity, of how much of a barrier is presented, is often surprisingly inaccurate.

Being in a remote area might not be much of a barrier if I have ways of discovering your address. Finding out your address is not only a remote location, but that location is a fortress dug in to the top of a mountain might present a di

Any piece of security software that can be unraveled by discussing it is not a solution. The article mentions that the developer is already trying to prepare counter-countermeasures, so hopefully this one has some extended relevance.

Also, please include citations when you make accusations like that. I pulled up a bunch of articles on the Iranian twitspam with no problem but found it harder to dig up reports of US Agencies doing the same (though I wouldn't be shocked if they had, this seems to go both ways).

Well, we do have an extensive [wikipedia.org] history [wikipedia.org] of meddling. [wikipedia.org] Okay, it's actually freaking huge. [wikipedia.org] Whether or not we actually did anything or not, I wouldn't blame Iran for believing that the US played some role in the recent turmoil.

Everyone else doesn't have an extensive history of meddling? So Russia, England, Germany, France, and on and on, don't have such histories? Name a big country, there's a good chance they have a history of meddling.

While we have undoubtedly exported some nasty results with our foreign policy, the US is also unique in the amount of good it has produced - you know, little things that better the world like computers, the internet, and a large amount of modern medical technology. Whether that has, overall, outweighed the evil we have produced, I'm just not sure and I doubt anybody can easily answer that question.

And I'm not really sure that the stuff done in the name of fighting communism was truly evil though some of th

I'm obviously responding to a troll here, but I'm not a person who hates this country. There are some things I don't like about this country, but I can't say that there's any other country where I'd prefer to live. Well, maybe Switzerland.

If some entity has a long history of doing X, it's pretty damn stupid not to expect them to do X. It has nothing to do with whether or not it's right or wrong, the US has a history of involving itself in foreign politics. There's no need to pass moral judgement on it, but it's a fact that the US has attempted to influence foreign politics with great frequency in the past.

Well they learned that a government could justify any erosion of rights and even start wars for resources in far off nations by giving the people some imagined threat from a nation no-one really understands.

Iran has elections, but doesn't pick the right person, so it's a dictatorship. Same is true for Venezuela and Gaza, and any country over the past sixty years that made the mistake of voting for left-leaning leaders in the Western Hemisphere.

And what about China, Saudi Arabia, Egypt, etc? Well, they make us a shitload of money, or they at least follow our orders, so, you know. It's different.

Iran has elections, but they matter not a jot as the public don't get to elect the Revolutionary Guard, the only ones with real power.

I dislike the US's hypocrisy, and their meddling in world affairs, but you have to admit that the people in charge of Iran are scumbags. Not scumbags that give the US the moral authority to invade the country and steal the oil, but scumbags nonetheless.

> Iran has elections, but doesn't pick the right person, so it's a dictatorship. Same is true for Venezuela and Gaza, and any country over the past sixty years that made the mistake of voting for left-leaning leaders in the Western Hemisphere.

Any country? Didn't know France, Sweden, Spain and basically all of Western Europe, and also half of South America became dictatorships for having voted for left-leaning leaders at some point in the past sixty years.

"Regime change isn't very effective when you have the Keystone Kops trying to carry it out for you."

Regime change isn't going to happen due to a few protesting students, and the mullocracy can choose to kill them off if they threaten Islamic control of government.

The people who want to change Iran will have to display a greater will to power than the Islamocracy. That's a very tough act to follow. It would require a Maoist level of ruthlessness, not the trifling discontent of a few young people.

> "Regime change isn't very effective when you have the Keystone Kops trying to carry it out for you."
>
> Regime change isn't going to happen due to a few protesting students, and the mullocracy can choose to kill them off if they threaten Islamic control of government.
>
> The people who want to change Iran will have to display a greater will to power than the Islamocracy. That's a very tough act to follow. It would require a Maoist level of ruthlessness, not the trifling discontent of a few young people.

Spoken like someone who doesn't have a clue about Iran, Iranian demographics (more specifically age and racial demographics) or the current Iranian government.

Frankly I don't think you used enough made up scare words based around Islam, I'm surprised you didn't slip islamofascist in there. To be frank, this kind of propaganda is weak, easy to see through and insults the intelligence of anyone who reads it.

But I'll hit you with the cluebat. Iran's population is primarily comprised of Persians, the government is primarily Arab. Due to the Iraq-Iran war in the 80's the 30-50 yr age bracket is severely depleted so the current theocracy has never had to deal with 20 somethings that don't remember the brutality of the Shah.

There are two armed forces in Iran, first the Iranian army which makes up the bulk of the forces and is almost exclusively ethnic Persian. Next is the Republican Guard, which is far smaller and almost exclusively Arab (Palestinian and Lebanese). The Republican Guard is used mainly as a police force. Arabs and Persians only have about 6000 years of recorded racial conflict so if a shooting war actually starts (which it won't) it will be over in a matter of days as the Persian army outnumbers the Republican Guard 10 to 1, has superior equipment and the support of the Persian people. Due to the fact that a large portion of the army will rebel if anyone gives the order to kill civilians en masse the Iranian government will not do this (they are theocratic, not stupid).

Finally we have multiple examples of how non-violent revolutions can be effective and lead to more stable states. India, Philippines (EDSA rebellion), much of Eastern Europe in 1989 (Czech, Poland, East Germany). New forms of communications have been able to organise non-violent revolutions more effectively than violent ones, SMS's were used during the EDSA II rebellion. Violent revolution often has the effect of not working (Ireland tried for how many hundreds of years) or placing a dictator in power (Palestine, Cambodia, Cuba). Since the end of WWII, more stable democracies have been formed by non-violent means than violent ones. So your desire to incite violence in the Iranian people is misguided at best but I'd describe it as retarded.

Iran's (the government of Iran) problem is that it's never had to deal with a large population of 20 yr olds, now it does and the 20 yr olds are disaffected. They don't know how bad the Shah was and only know that the current government is oppressive. Violent revolutions often have the opposite effect of what the instigator intends, so if the Iranian youth start fire-bombing government buildings then it has just as much chance of backfiring and forcing people to rally around the government. Take the recent unrest in Thailand. Initially the red shirts were garnering support from much of Thailand and around the world as they were painting themselves as the oppressed, well until they started bombing BTS stations. In the end, people said the Thai government was right to take military actions and that the Thai military was very restrained as only 40 people were killed, on the other hand the red shirts torched one of Bangkok's largest shopping centres further eroding support and strengthening the Thai government.

NONE of the revolutionary examples you cite were revolts against _religious_fanatic_ masters.

BTW I'm not inciting revolution. I'm observing what is required to displace ruthless people who are inspired by an imaginary celestial friend.

The Iranians aren't going anywhere, because Iran is far too comfortable for revolt. Revolutions don't usually happen when there is no freedom, they happen when there isn't enough food. Nothing to see here.

I don't care if Iran revolts or not. Democracy would just make them a mo

> NONE of the revolutionary examples you cite were revolts against _religious_fanatic_ masters.

Neither is Iran, they are no more religious than the Filipino government (except they are the "right" religion for you) but the Filipinos did it, twice. Yes the PNP (Philipino National Police) will lock you up if you upset the religious leaders, having been there, you don't state you're anti-Christian as almost every native Filipino is very devout, especially the ones in power. It's the only time in my life I've e